Author: kib
Date: Thu May 14 10:54:57 2009
New Revision: 192094
URL: http://svn.freebsd.org/changeset/base/192094

Log:
  Do not advance req->oldidx when sysctl_old_user is returning an
  error due to copyout failure or short buffer.
  
  The latter breaks the usermode iterators of the sysctl results that pack
  an arbitrary number of variable-sized structures. The iterator expects that
  the kernel filled exactly oldlen bytes, and tries to interpret a half-filled
  or garbage structure at the end of the buffer. In particular,
  kinfo_getfile(3) segfaulted.
  
  Reported and tested by:       pho
  MFC after:    3 weeks

Modified:
  head/sys/kern/kern_sysctl.c

Modified: head/sys/kern/kern_sysctl.c
==============================================================================
--- head/sys/kern/kern_sysctl.c Thu May 14 10:47:11 2009        (r192093)
+++ head/sys/kern/kern_sysctl.c Thu May 14 10:54:57 2009        (r192094)
@@ -1221,9 +1221,9 @@ sysctl_old_kernel(struct sysctl_req *req
                if (i > 0)
                        bcopy(p, (char *)req->oldptr + req->oldidx, i);
        }
-       req->oldidx += l;
        if (req->oldptr && i != l)
                return (ENOMEM);
+       req->oldidx += l;
        return (0);
 }
 
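Review bot: The log message names only sysctl_old_user, but this hunk makes the same ordering change in sysctl_old_kernel by moving `req->oldidx += l;` below the `if (req->oldptr && i != l)` check, so the message should say that both helpers are affected. After this change, a caller that reads req->oldidx following an ENOMEM return will see the pre-call value, even though the bcopy above may already have written i bytes at that offset. Please check whether any in-kernel caller used the old, over-advanced oldidx after ENOMEM to learn the total size required, and add a short comment above the check stating that oldidx now counts only fully copied chunks.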
@@ -1320,9 +1320,10 @@ sysctl_old_user(struct sysctl_req *req, 
        size_t i, len, origidx;
 
        origidx = req->oldidx;
-       req->oldidx += l;
-       if (req->oldptr == NULL)
+       if (req->oldptr == NULL) {
+               req->oldidx += l;
                return (0);
+       }
        /*
         * If we have not wired the user supplied buffer and we are currently
         * holding locks, drop a witness warning, as it's possible that
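Review bot: Missing comment on the new `if (req->oldptr == NULL) {` block: it is now the only early return that still advances req->oldidx, and a reader has no way to tell that this is deliberate. A one-line comment saying that a NULL oldptr is a size probe, so the length is accumulated without copying, would make the asymmetry with the error returns explicit. Since `origidx = req->oldidx;` is now taken before any increment, it is also worth confirming that the code below this hunk does not still assume oldidx has already been advanced past origidx.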
@@ -1344,6 +1345,7 @@ sysctl_old_user(struct sysctl_req *req, 
                return (error);
        if (i < l)
                return (ENOMEM);
+       req->oldidx += l;
        return (0);
 }
 
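Review bot: The contract change is undocumented at the `return (error);` and `if (i < l) return (ENOMEM);` exits, where req->oldidx is now left at its pre-call value. A handler that ignores the error and calls sysctl_old_user again will be handed the same offset for its next chunk instead of one past the short write. Please add a note to the function's header comment that oldidx only advances when all l bytes were delivered, and that handlers must stop emitting records on the first non-zero return.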